Why Specialised Security Testing for Mobile Apps is Necessary
As part of an overall defence strategy, testing the defences is essential. The tests are carried out using multiple techniques and consist of:
- Vulnerability Assessment
- Penetration Testing
Mobile app Security Vulnerability & Penetration Testing is conducted to exploit known and unknown (zero-day) vulnerabilities and loopholes in your mobile application for both the iOS and Android ecosystems. The Penetration Testing exercise uses the inputs from the Vulnerability Assessment and checks the feasibility of data leakage and unauthorised access.
Various types of scenarios are tested:
- Black Box: No-knowledge test and exploit; the classic outsider scenario.
- Grey Box: Partial knowledge and partial access. “Can we do more?” is the target objective of this exercise. This is a scenario where an unauthorised actor has gained some information and is now trying to use and exploit it.
- Combo tests: A mixture of Black Box and Grey Box testing that also includes a source code review to check for potential leakages.
How do we do this at Arrka? The Arrka approach is:
- Check for ‘breadcrumbs’: the mobile application is evaluated for permissions, data leaks, privilege escalation, transmission of data during interaction with the backend, and whether it works on rooted/jailbroken devices.
- For all exploits identified, run tools and manual scripts to attempt a breach using the exploit. We use our own scripts and attack vectors as well as other tools.
- Generate a report with recommendations for mitigation (including configuration changes).
We believe all tools, if configured correctly for the mitigation of the risk, perform well. We focus on the existing tool configuration first and bring it to an acceptable risk level. Our recommendations are a combination of the techniques required to close out the mitigation.
We use multiple frameworks such as OWASP, NIST, and various cyber security regulatory guidelines, along with our own knowledge base, to define the attack vectors and scenarios.
For further details, do contact us.
Please note that to obtain a complete risk posture, it is optimal to combine Vulnerability Testing with Privacy Testing.